Monday 27th of June

9-9:15
Welcome

9:15-10:30
Invited talk

A Non-Standard for Trust

Steve Marsh, Communications Research Centre, Ottawa (Canada)

Abstract

More and more, our technological use is moving out of the office and classroom and onto the street. Mobile technologies are used for any number of purposes, with and without forethought. This, their vast range of users, and the ubiquity of technology extending to 'Internet of Things' can be recognised as an area of concern related to topics as diverse as privacy, social mobility, crime, information security, and social disruption.

The main problem related to security (importantly, of device, information, and person) is the inherent situatedness of the device, the fact that unique relationships exist between environment, device, and user, and that new and unforeseen contexts appear every day. More traditional security and trust models are inadequate to handle this plethora of context. Moreover, the imposition of standard models of trust and security on unique individuals is a problem for gaining acceptance (and ironically, trust).

This talk will explore the situatedness of mobile device usage, the uniqueness of individual device-user relationships, and how we can leverage these to create a non-standard, 'trust in the foreground' paradigm to 'advise, encourage, and warn' the humans in the loop of the Internet of Things and People. Relevant current work, such as Device Comfort and trust-enablement, will be examined.

11:00-12:30. Architectures and Protocols

A Proof-Carrying File System with Revocable and Use-Once Certificates

Jamie Morgenstern, Deepak Garg and Frank Pfenning

Secure architecture for the integration of RFID and sensors in personal area Networks

The Internet is a primary arena for human interaction, e.g. for delivering commercial and civic services and for building social communities. At the same time, the Internet is in many ways a dangerous place because we expose ourselves to risks that are difficult to manage. It is therefore realistic to assume that people could stop doing business on the Internet for a shorter or longer period if they perceive the risk to be too high. From the perspective of the service providers, the negative effect could be anything from a reduction in business to large scale defection from online services. Such a change in behaviour does not need to be a rational reaction to real threats or serious security incidents, but could be the result of irrational perceptions and mass psychosis. In order to avoid the latter scenario, the public must be induced to have trust in the online platform. In fact, it has become a primary concern of online service providers to tightly control the dissemination of information about security incidents and vulnerabilities, precisely because negative publicity of this type undermines people's trust, resulting in a reduction in business. Online service providers clearly see a need to be perceived as having a secure IT infrastructure and Web interface, and this should primarily be achieved by actually focusing on real security. However, there is a danger that organisations will implement measures aimed at inducing trust, but that in reality give little or no real added security assurance. This creates a market for "fake security", i.e. with the main purpose of giving the impression of security, and to a lesser extent of providing practical security. The need for being perceived as secure can even be amplified when security technology companies try to expand their market by inducing fear, thereby creating an effect of "trust extortion" in the sense that companies feel obliged to buy security services that induce the impression of being secure. This talk focuses on certain aspects of the security industry that seem to be more aimed at giving the impression of security than of giving real security.

11:00-12:30
Access Control

Risk-Aware Role-Based Access Control

Liang Chen and Jason Crampton

Hiding the Policy in Cryptographic Access Control

Sascha Müller and Stefan Katzenbeisser

Automated Analysis of Infinite State Workflows with Access Control Policies

Alessandro Armando and Silvio Ranise

14:00-15:30
Authentication and Authorization

New Modalities for Access Control Logics: Permission, Control and Ratification

Valerio Genovese and Deepak Garg

Mutual Remote Attestation: Enabling System Cloning for TPM based Platforms